Friday, February 17, 2012

Complete DHS Daily Report for February 17, 2012

Daily Report

Top Stories

• Citigroup agreed to pay $158.3 million to settle claims its mortgage unit fraudulently misled the government into insuring risky mortgage loans — more than one-third of which went into default — for more than 6 years. – Associated Press (See item 10 below in the Banking and Finance Sector)

• Twelve people in five states were infected with E. coli O26 in an outbreak linked to raw clover sprouts served at Jimmy John’s sandwich restaurants, the fifth such outbreak linked to sprouts served at the eateries in the last 4 years. – Food Safety News (See item 15)

15. February 15, Food Safety News – (National) Outbreak linked to raw sprouts sickens 12. Twelve people in five states were infected with E. coli O26 in an outbreak linked to raw clover sprouts served at Jimmy John’s sandwich restaurants, the Centers for Disease Control and Prevention (CDC) said. Iowa reported five cases, Missouri three, Kansas two, while Arkansas and Wisconsin each reported one person infected with the outbreak strain, the CDC said in a report February 15. It said the onset of illnesses ranged from December 25, 2011 to January 15. Raw sprouts served on sandwiches at Jimmy John’s restaurants were associated with multiple food-borne illness outbreaks in recent years. In 2008, at least 19 E. coli O157:H7 cases were linked to alfalfa sprouts sold at Colorado Jimmy John’s restaurants. In 2009, 228 people became ill in Nebraska, Iowa, South Dakota, and Kansas after eating Salmonella-contaminated sprouts at several restaurants, including Jimmy John’s outlets. In late 2010, a 16-state Salmonella outbreak that struck 94 people was linked, in part, to alfalfa and spicy sprouts served at Jimmy John’s restaurants, while a separate outbreak of Salmonella a month later, which sickened 7 people in Oregon and Washington, was also tied to Jimmy John’s sandwiches. Following those outbreaks, the company announced it was switching from alfalfa sprouts to clover sprouts nationwide. The ill people ate at nine different Jimmy John’s locations in four states, the CDC reported. Source:


Banking and Finance Sector

10. February 15, Associated Press – (National) Citi to pay $158 million in mortgage settlement. Citigroup agreed to pay $158.3 million to settle claims its mortgage unit fraudulently misled the government into insuring risky mortgage loans for more than 6 years. The government said February 15 CitiMortgage certified 30,000 mortgages for insurance provided by the Federal Housing Administration and submitted many certifications that were “knowingly or recklessly false.” More than a third of those loans went into default, resulting in millions of dollars in losses for the government due to the insurance claims. As part of the civil fraud settlement, Citi accepted responsibility for failing to comply with government rules and submitting certifications that were fraudulent. The payments are in addition to the $2.2 billion Citigroup has to pay in connection with the $26 billion mortgage loan settlement announced the week of February 6 by the Justice Department and the nation’s top mortgage lenders. Since 2004, more than 30 percent of loans originated or underwritten by CitiMortgage went into default. CitiMortgage submitted certifications to the government that stated certain loans were eligible for federal mortgage insurance when they were not, according to the government. Source:

11. February 15, Orange County Register – (California) Man sought as ‘Snowboarder Bandit’ robs Anaheim bank. A man who robbed an Anaheim, California bank branch the week of February 13 is believed to be the “Snowboarder Bandit,” suspected of carrying out at least seven Orange County holdups, police announced February 15. Authorities have released surveillance photos of the man who walked into the Schools First Federal Credit Union branch about 2:50 p.m. February 13, handed a teller a note demanding cash, and left with an undisclosed amount of money. Officials believe the robber is the “Snowboarder Bandit,” who previously struck at bank branches in Irvine, Laguna Hills, Anaheim Hills, Ladera Ranch, and Corona del Mar. The bandit earned his name due to his “youthful appearance and the ski-type clothes” he has worn during the robberies, authorities said. Source:

Information Technology

28. February 16, H Security – (International) Flash Player update plugs exploited hole. Adobe released updates for Flash Player closing seven holes in the application. Six of the holes can be exploited to allow an attacker to infect a PC using crafted Web pages. The seventh is a cross-site scripting hole that Adobe says is already being exploited in “active targeted attacks.” The attacks, which are only aimed at Internet Explorer on Windows, try to trick the user into clicking on a malicious link. Adobe said the hole “could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website.” Flash Player version and earlier on Windows, Macintosh, Linux, and Solaris, version and earlier for Android 4.x, and version and earlier for Android 3.x and 2.x, are all affected. Desktop Flash users should update to by downloading it from Adobe’s site. Android 4.x users should update to and Android 3.x and 2.x users should update to version by browsing to the Android Market Place for an update. Google’s Chrome browser, which embeds the Flash Player, was updated to version 17.0.963.56 on Windows, Mac, Linux, and Chrome Frame. The Chrome update also addresses 13 high, medium, and low severity security issues. Source:

29. February 15, Reuters – (International) Apple tweaks apps policy under lawmaker pressure. Under pressure from U.S. legislators, Apple Inc. moved February 15 to quell a swelling privacy controversy by saying it will begin to require iPhone and iPad applications to seek “explicit approval” in separate user prompts before accessing users’ address book data. Apple’s move came shortly after two members of the U.S. House Energy and Commerce Committee asked the company to provide more information about its privacy policies. Recently, bloggers published findings that some of the most popular software applications in Apple’s App Store were able to lift private address book data without user consent. In a letter addressed to Apple’s chief executive, Democrats from California and North Carolina asked Apple February 15 to clarify its developer guidelines and the measures taken by the company to screen apps sold on its App Store. The letter came after Path, a startup that makes a social networking app, attracted widespread criticism the week of February 6 after a Singaporean developer found its iPhone app was uploading his contacts’ names and phone numbers onto Path’s servers. In the following days, other technology bloggers discovered that iPhone apps like Facebook, Twitter, Foursquare, and Foodspotting similarly uploaded user data — without permission, in some cases. Source:

30. February 15, H Security – (International) Java SE updates fix critical security holes. Oracle fixed 14 security holes in the Java Standard Edition (Java SE) with a critical patch update. The vulnerabilities allow attackers to use specially crafted Java WebStart applications or Web services to install malicious code on computers that run flawed versions of Java. Oracle said such flawed versions are particularly likely to exist on Windows computers because Windows users tend to have administrator privileges. The risk is smaller under operating systems such as Linux and Solaris, the company added. The holes, five of which are rated as maximum risk vulnerabilities, affect the JDK (Java Development Kit) and JRE (Java Runtime Environment) 7 Update 2, JDK and JRE 6 Update 30, JDK and JRE 5.0 Update 33, and SDK and JRE 1.4.2:35, and earlier releases of each. Versions older than JavaFX 2.0.2 are also affected. Oracle closed the holes in Java SE 7 Update 3, Java SE 6 Update 31, and JavaFX 2.0.3. The updates are available for Windows, Linux, and Solaris. Under Windows, the updates will be installed automatically via auto-update. Otherwise, the patches can be downloaded from the Java download page and installed manually. Source:

For more stories, see items 32 and 34 below in the Communications Sector.

Communications Sector

31. February 16, Agence France-Presse – (National) US regulators pull plug on LightSquared. U.S. telecom regulators pulled the plug on a plan to build a high-speed wireless broadband network, citing potential interference with GPS navigation devices. The Federal Communications Commission (FCC) said February 14 it was revoking permission for LightSquared to build a 4G-LTE network the company said would cover more than 90 percent of the United States by 2015. Explaining the decision, the FCC cited research done by the National Telecommunications and Information Administration (NTIA), the agency that coordinates spectrum use by the U.S. military and federal government. Source:

32. February 16, North Country Now – (New York) Slic internet service interrupted for about 3 hours in Potsdam, Canton and other areas. Internet service for many Slic Network subscribers was interrupted for several hours February 15 and February 16 throughout parts of St. Lawrence County, New York. St. Lawrence County offices, the Potsdam Village Police, and Clarkson University were among a number of businesses and organizations reporting an inability to access the Internet. Shortly before 5 p.m., February 15, a representative of Nicholville-based Slic Network Solutions confirmed they were having problems and indicated the problem involved a circuit outside their network. Time-Warner subscribers in Potsdam and Massena reported they did not have outages. Source:

33. February 15, Radio World – (Wisconsin) Copper theft silences WZRK (AM). Copper theft at an AM station in southeast Wisconsin has become so bad the facility has asked the Federal Communications Commission (FCC) for permission to go off the air while it installs a system to prevent future thefts. GS Radio, the owner of WZRK 1550 AM Lake Geneva, said that twice now, “thieves have stolen the copper ground radials surrounding the WZRK tower, outside the fenced area surrounding the transmitter shed, and the AM tower itself.” GS told the FCC the copper radials must be replaced again. It asked the commission for permission to stay off the air “for a few months” to accomplish that, as well as devise a security system. Source:

34. February 14, ZDNet – (International) Nortel hacking attack went unnoticed for almost 10 years. According to a Wall Street Journal report, hackers who appeared to be working in China broke into Nortel’s computer networks more than a decade ago and over the years downloaded technical papers, research-and-development reports, business plans, employee e-mails, and other documents, ZDNet reported February 14. The report said the hackers used seven passwords stolen from top Nortel executives, including the company’s chief executive officer (CEO), and maintained a persistent presence by hiding spying software “so deeply within some employees’ computers that it took investigators years to realize the pervasiveness of the problem.” The initial breach occurred as far back as 2000, but Nortel did not discover the threat until 2004, when an employee noticed that a senior executive appeared to be downloading an unusual set of documents, according to the internal report. Source:

For another story, see item 29 above in the Information Technology Sector.

Thursday, February 16, 2012

Complete DHS Daily Report for February 16, 2012

Daily Report

Top Stories

• A United Nations panel is calling for tougher inspections and detailed labeling of air shipments of lithium batteries following incidents in which aircraft were destroyed when freight shipments burst into flames. – Bloomberg (See item 21)

21. February 15, Bloomberg – (International) Burning batteries are risk to jets. Label them, UN says. A United Nations (UN) panel is calling for tougher inspections and detailed labeling of air shipments of lithium batteries following two incidents in which aircraft were destroyed when freight shipments burst into flames. The Dangerous Goods Panel at the UN’s International Civil Aviation Organization (ICAO) agreed February 15 to the new standards, said the Air Line Pilots Association’s head of hazardous-materials handling issues. Without new rules, lithium batteries that can spontaneously combust were projected to destroy one U.S.-registered cargo jet every other year, according to a study commissioned by U.S. and Canadian aviation regulators. Shipments of the batteries, which include those used in mobile phones, tablets, and laptop computers, were suspected of contributing to two U.S. cargo-jet accidents since 2006. The Rechargeable Battery Association, which represents companies such as Apple and Panasonic, said in a statement the ICAO’s recommendations were a “reasonable compromise.” The Federal Aviation Administration barred passenger flights from carrying non-rechargeable lithium batteries in 2004 because, if they catch fire, the flames cannot be stopped by cargo compartment extinguishers. Under the proposed ICAO rules, all lithium battery shipments must be labeled as hazardous material. Companies that want to ship batteries must train employees on how to handle them. Airlines such as United Airlines or FedEx Corp. would have to inspect shipments before loading them onto and removing them from planes. Pilots would also be notified when lithium batteries are loaded. A UPS Boeing 747-400 that caught fire 22 minutes after it left Dubai September 3, 2010, was carrying more than 81,000 lithium batteries, states a preliminary report by the General Civil Aviation Authority of the United Arab Emirates. The jet crashed at a military base while pilots tried to make an emergency landing. Both pilots died. Source:

• The maker of best-selling anticancer drug Avastin warned that counterfeit copies of the drug lacking active ingredients were distributed to health care facilities throughout the United States. – Associated Press (See item 31)

31. February 14, Associated Press – (National) Roche warns of counterfeit Avastin in U.S. The maker of the best-selling anticancer drug Avastin is warning doctors and patients about counterfeit vials of the product distributed in the United States, the Associated Press reported February 14. Roche’s Genentech unit said the fake products do not contain the key ingredient in Avastin, which is used to treat cancers of the colon, lung, kidney, and brain. The company believes drugs labeled with the following lot numbers may be fake: B86017, B6011, and B6010. The counterfeit products do not have “Genentech” printed on their packaging, which appears on all FDA-approved cartons and vials. A spokeswoman said the counterfeit drug was distributed to health care facilities in the United States. The company is working with the Food and Drug Administration to track down the counterfeit vials and analyze their contents. It said it was alerted to the problem by foreign health regulators and believes the counterfeits were imported from abroad. Additionally, legitimate Avastin contains a six-digit lot number with no letters. All the text on the product’s packaging is in English. Source:


Banking and Finance Sector

15. February 15, Bloomberg – (New York; International) Pentagon Capital must pay SEC $76.8 million for abusive trading. Pentagon Capital Management Plc, a closed United Kingdom hedge fund, was told by a judge February 14 to pay $76.8 million in a lawsuit filed in 2008 by the U.S. Securities and Exchange Commission (SEC) over allegedly abusive mutual fund trading. The U.S. district judge in Manhattan ruled the SEC proved its claim the hedge fund and its chief executive officer (CEO) engaged in a fraudulent scheme by making mutual fund trades after the 4 p.m. close of markets in New York. The judge ruled Pentagon Capital and its CEO must disgorge $38.4 million in improper profits. He imposed the same amount as an additional civil penalty. He ruled against the SEC’s claim Pentagon Capital committed fraud by making deceptive, rapid-fire transactions known as market-timed trades. Pentagon Capital said in 2008 it was closing and returning investors’ money because of the SEC investigation and civil suit.


16. February 14, Bloomberg – (New York; Kansas; International) Nasdaq, Bats sites attacked as trading systems unaffected. Nasdaq OMX Group Inc. and Bats Global Markets Inc., two of the three biggest operators of U.S. stock exchanges, said access to their Web sites was disrupted February 14 by attacks that flooded their systems with traffic. Both companies said their trading systems were unaffected. A spokesman for New York-based Nasdaq OMX and a spokeswoman for Lenexa, Kansas-based Bats confirmed the outages. For Nasdaq, its main Web page as well as, a market information site, were disrupted. NYSE Euronext, owner of the New York Stock Exchange, did not experience an outage, according to a spokesman. Nor did Direct Edge Holdings Inc., the fourth-largest U.S. exchange owner, a spokesman said. Source:

17. February 14, U.S. Federal Trade Commission – (National) FTC action leads to ban on alleged mortgage relief scammers who harmed thousands of consumers. At the request of the Federal Trade Commission (FTC), a U.S. district court February 14 put the mortgage relief business permanently off limits to marketers who allegedly charged thousands of consumers up to $2,600 each, based on bogus promises to provide loan modifications that would make mortgages more affordable. According to the FTC, the scheme caused consumer losses of nearly $19 million. All but two of the defendants settled with the agency, while the two other corporate defendants received default judgments. The FTC alleged the defendants used direct mail, the Internet, and telemarketing to target homeowners. The defendants typically asked for half of the fee up-front, falsely claiming a success rate of up to 100 percent, according to the complaint. They deceptively claimed they could prevent foreclosure, that they were affiliated with or approved by consumers’ lenders, and that they would refund consumers’ money if they failed to deliver promised services, according to the FTC. They told consumers not to contact lenders and to stop making mortgage payments, claiming that falling behind on payments would demonstrate hardship, the FTC alleged. The complaint charged U.S. Mortgage Funding, Inc., Debt Remedy Partners Inc., Lower My LLC, and four individuals with violating the FTC Act and the FTC’s Telemarketing Sales Rule. The court orders ban all the defendants from providing mortgage and debt relief services and telemarketing. Source:

18. February 14, KLAS 8 Las Vegas – (Nevada; International) Former attorney guilty in scheme to hide income from IRS. A former lawyer and author pleaded guilty to felony conspiracy, tax, and identity theft charges in a scheme to help individuals hide their income and assets from the Internal Revenue Service (IRS) and other creditors, a Nevada U.S. attorney said February 14. He pleaded guilty to conspiracy to defraud the United States, aggravated identity theft, and attempt to evade or defeat taxes. He faces up to 12 years in prison and $750,000 in fines. The defendant and two accomplices were indicted in July 2011 for a scheme in which they allegedly made more than $60 million. The indictment alleged that from 1998 to 2006, the defendants enriched themselves through the sale of services and products designed to help individuals conceal assets from the IRS and creditors. The service allowed clients to place funds in bank accounts held in the names of nominees, and created and maintained domestic corporations and offshore international business firms with obscured ownership. The company allegedly sold a business opportunity training program to at least 1,000 people for about $10,000 each, created roughly 2,500 disguised ownership corporations in Nevada for $795 each, opened more than 900 disguised ownership corporate bank accounts, and prepared more than 400 fraudulent liens. One man allegedly received more than 180 corporate tax referrals from the company and prepared more than 400 tax returns. From 2003 to 2006, the company allegedly received more than $63 million in deposits, made more than $62 million in withdrawals through one of its bank accounts, and sent more than $11 million offshore. Source:

For more stories, see items 37 and 41 below in the Information Technology Sector.

Information Technology

37. February 15, Computerworld – (International) Researchers crack online encryption system. An online encryption method widely used to protect banking, e-mail, e-commerce, and other sensitive Internet transactions is not as secure as assumed, according to a report issued by a team of U.S. and European cryptanalysts. The researchers reviewed millions of public keys used by Web sites to encrypt online transactions and found a small but significant number to be vulnerable. In most cases, the problem had to do with the manner in which the keys were generated, according to the researchers. The numbers associated with the keys were not always as random as needed, the research showed. Therefore, the team concluded, attackers could use public keys to guess the corresponding private keys that are used to decrypt data — a scenario previously believed to be impossible. Source:
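The following is an added illustration, not part of the report or of the study it summarizes, of why poor randomness at key-generation time lets a public key give away its private key: when two RSA moduli were generated with one prime in common, a gcd of the two public moduli exposes that prime, and the private exponent follows. It runs a batch-gcd audit (the product-tree/remainder-tree method, which is how such scans are done at scale) over a constructed toy key inventory; the key names, the toy prime sizes and all function names are assumptions of this example.

```python
"""Batch-gcd audit of an RSA key inventory for shared prime factors.

Added example. The moduli below are constructed toy values (20-bit primes, not real
key sizes) so the script runs instantly; the arithmetic is identical for 2048-bit keys.
"""
from math import gcd, isqrt


def next_prime(n):
    """Smallest prime strictly greater than n (trial division; fine for toy sizes)."""
    c = n + 1
    while not all(c % d for d in range(2, isqrt(c) + 1)):
        c += 1
    return c


def product_tree(leaves):
    """Levels of a binary product tree: level 0 is the leaves, the last level the total product."""
    tree = [list(leaves)]
    while len(tree[-1]) > 1:
        lvl = tree[-1]
        tree.append([lvl[i] * lvl[i + 1] if i + 1 < len(lvl) else lvl[i]
                     for i in range(0, len(lvl), 2)])
    return tree


def batch_gcd(moduli):
    """For each N_i return gcd(N_i, product of all the other moduli).

    Uses a product tree and a remainder tree (quasi-linear) instead of the O(n^2)
    pairwise gcds: P mod N_i^2 = N_i * ((product of others) mod N_i), so dividing the
    remainder by N_i and taking a gcd with N_i gives the shared factor, if any.
    """
    tree = product_tree(moduli)
    rems = tree.pop()  # root: product of every modulus
    while tree:
        lvl = tree.pop()
        rems = [rems[i // 2] % (lvl[i] ** 2) for i in range(len(lvl))]
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def audit_keys(keys):
    """keys: {name: modulus}. Returns {name: (p, q)} for every factorable modulus,
    or {name: None} when the only problem is a duplicate modulus."""
    names = list(keys)
    moduli = [keys[k] for k in names]
    weak = {}
    for name, n, g in zip(names, moduli, batch_gcd(moduli)):
        if g == 1:
            continue  # no factor shared with any other key in the inventory
        if g == n:
            # Both primes are shared (or the modulus is duplicated): split with a pairwise gcd.
            for other in moduli:
                h = gcd(n, other)
                if 1 < h < n:
                    g = h
                    break
            else:
                weak[name] = None  # exact duplicate of another key; nothing to split
                continue
        weak[name] = (min(g, n // g), max(g, n // g))
    return weak


def recover_private_exponent(p, q, e=65537):
    """Once both primes are known, the private exponent is a single modular inverse."""
    return pow(e, -1, (p - 1) * (q - 1))


def build_sample_keys():
    """Constructed inventory of five toy moduli. C reuses a prime from A and D reuses a
    prime from C, modelling a generator whose output was not random enough."""
    ps, c = [], 1_000_000
    for _ in range(8):
        c = next_prime(c)
        ps.append(c)
    keys = {
        "A": ps[0] * ps[1],
        "B": ps[2] * ps[3],
        "C": ps[1] * ps[4],  # shares ps[1] with A
        "D": ps[4] * ps[5],  # shares ps[4] with C
        "E": ps[6] * ps[7],
    }
    return keys, ps


if __name__ == "__main__":
    keys, _ = build_sample_keys()
    for name, factors in audit_keys(keys).items():
        if factors is None:
            print(f"{name}: duplicate modulus, rotate the key")
        else:
            p, q = factors
            print(f"{name}: factorable (p={p}, q={q}); "
                  f"private exponent recoverable, d={recover_private_exponent(p, q)}")
```

Keys B and E, whose primes are unique to them, come through the audit clean even though they were generated the same way; a shared factor is only detectable against the rest of the population, which is why the study needed millions of keys.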

38. February 15, H Security – (International) Shockwave Player critical holes closed. Adobe updated Shockwave Player on Windows and Mac OS X to version after identifying nine critical vulnerabilities. The problems affect Shockwave Player and all earlier versions on Windows and Mac OS X. Adobe recommends updating to the new release by downloading it from To identify whether Shockwave Player is installed on a system, users should visit the test page on Adobe’s site. Most problems are in the Shockwave 3D Asset, where seven memory corruption vulnerabilities could lead to code execution; these were all reported by a researcher from FortiGuard Labs. An eighth memory corruption issue and a heap overflow vulnerability, both of which could also lead to code execution, were reported by “instruder” of and bring the flaw tally up to nine. Source:

39. February 15, H Security – (International) Microsoft’s Patch Tuesday fixes critical vulnerabilities. Microsoft released 9 bulletins to close 21 holes in its products February 14. Four of the bulletins close critical vulnerabilities in Windows, Internet Explorer, .NET, and Silverlight, including an issue in the Windows kernel-mode drivers that became publicly known in December 2011. The company advises those responsible for prioritizing update deployment to focus on critical patches for Internet Explorer and the C Runtime Library in Windows, as these could be exploited by an attacker to remotely execute arbitrary code. For an attack to be successful, a user must first visit a malicious Web page or open a specially crafted file. The other critical bulletins fix issues in .NET and Silverlight. Microsoft notes it has yet to see any active attacks exploiting these issues. Rated as “important,” the remaining five bulletins correct many remote code execution and privilege escalation issues. These include six vulnerabilities in SharePoint and the Ancillary Function Driver in Windows that could be used to allow elevation of privileges. Five holes in the Windows Color Control Panel, an issue in the Indeo Codec in Windows, and five problems in Visio Viewer — part of Microsoft Office — that could be used to remotely execute code were also closed. According to the latest reports, the updates to the Microsoft Windows Malicious Software Removal Tool (MSRT) and the company’s Forefront security products, which were released at the same time as Microsoft’s Patch Tuesday security updates, result in a false positive malware warning on Source:

40. February 15, Softpedia – (International) Waledac Botnet returns, steals passwords and credentials. In 2010, Microsoft was able to terminate the activity of the Waledac botnet, which at the time was famous for being a large source of spam. However, Palo Alto Networks researchers came across a new variant which is not only used for spamming, but also for stealing sensitive data from infected devices. The new version was spotted February 2. Experts conclude it is still sending spam, but it can also steal passwords and authentication data, including credentials for FTP, POP3, SMTP. Besides this, Waledac also steals .dat files for FTP and BitCoin and uploads them to the botnet. By relying on their WildFire systems, which enable a firewall to capture unknown files and analyze them in a malware sandbox, Palo Alto Networks was able to identify how the new variant behaves. Given the confusion created around the Kelihos botnet that was declared resurrected by Kaspersky, only to be put to sleep again by Microsoft, the company emphasizes this is not the old botnet, but a new variant. Source:

41. February 15, H Security – (International) Google Wallet PIN brute-forcing now without rooting. An attack on Google Wallet’s PIN protection — which required the phone be rooted so the PIN information could be accessed — can be achieved on an un-rooted Android smartphone by using a Linux privilege escalation vulnerability. This is according to Zvelo, who found the original problem with the storage of the PIN used to protect the NFC-enabled wallet embedded in the Google Nexus. Rooting, it was pointed out, would usually mean all the data on the device was deleted in the process, and Google advised users not to use Wallet on rooted devices. However, by exploiting a known Linux privilege escalation vulnerability that exists in Android 4.0 and has proof of concept code available, it is possible to get root access to the device without deleting any data. Zvelo says this is enough to get access to the Google Wallet PIN data, which can be easily brute-forced as in their original attack. An attacker could also obtain the data and send it to a remote server where the PIN could be brute-forced even faster. Google announced it restored the provisioning service for pre-paid debit cards associated with Google Wallet NFC-enabled hardware. Google disabled the system after it was widely publicized it was possible to get access to the credit on the prepaid card. An attacker could reset the Google Wallet application data and restart the application, at which point they could enter a new PIN and reconnect the virtual pre-paid card associated with the device, giving access to any available credit on the pre-paid card. Source:

42. February 14, IDG News Service – (International) Mozilla to ask certificate authorities to revoke SSL-spying certificates. Mozilla plans to ask all certificate authorities to review their subordinate CA certificates and revoke those that could be used by companies to inspect secure sockets layer (SSL)-encrypted traffic for domain names they do not control. The plan, whose details are still being worked out, is Mozilla’s response to Trustwave’s recent claim the use of such certificates for SSL traffic management within corporate networks is a common practice. After a week of debating whether to punish Trustwave for violating its CA Certificate Policy, Mozilla decided to send a communication to all certificate authorities asking that they come clean about similar certificates and to revoke them. A grace period extended to CAs for the revocation of sub-CA certificates currently used for the inspection of SSL-encrypted traffic on corporate networks has not been decided, but according to the owner of Mozilla’s CA Certificates Module, a time frame of 2 or 3 months is being considered. After that, those caught with such a certificate would have their root keys removed from Mozilla’s products, and all certificates they ever signed would result in an error when opened in the browser. Source:

43. February 13, Government Computer News – (International) Cyber criminals find new way to exploit old Office hole. Cyberattackers found a new way to take advantage of an old Microsoft Office hole. Symantec researchers noticed a specially crafted trojan that exploits a previously patched vulnerability. The attack occurs when a user opens up an e-mail that contains a Microsoft Word file with a malicious Dynamic Link Library file (DLL). “The exploit makes use of an ActiveX control embedded in a Word document file,” a researcher at Symantec said. “When the Word document is opened, the ActiveX control calls fputlsat.dll which has the identical file name as the legitimate .dll file used for the Microsoft Office FrontPage Client Utility Library.” He said once this flaw is exploited, an attacker is free to load up an infected system with malware. He also advises that if a user sees an e-mail attachment with the file name ftutlsat.dll, proceed with caution. An e-mail with this type of attachment should be easy to spot, according to the researcher. The exploit, recently seen in the wild by the security firm, was previously fixed by Microsoft in September’s Security Update, bulletin MS11-073. The researcher warns that because the bulletin was only classified as “important” by Microsoft, it might have been overlooked. Source:

For another story, see item 44 below in the Communications Sector.

Communications Sector

44. February 15, – (North Carolina) Damaged cable slows internet for MI-Connection users. MI-Connection Communications System Internet customers in North Carolina have faced slowdowns over the past few days because of a damaged cable belonging to one of MI-Connection’s network providers, reported February 15. MI-Connection said it has “re-routed” traffic to alternate circuits, which is affecting streaming media, including YouTube, Netflix, and other applications. It wasn’t clear when full service might be restored. MI-Connection’s chief executive officer (CEO) said February 15 that it could be another day before workers repair the cable. MI-Connection’s provider is XO Communications. The problem emerged February 12, when XO notified MI-Connection of the problem. XO apparently did not have a backup line or re-routing in place. It sent a crew to begin repairs later February 12, MI-Connection’s CEO said. MI-Connection lost about half its available network capacity, or bandwidth, in the incident. MI-Connection has about 10,300 Internet customers in north Mecklenburg and south Iredell. Source:

For another story, see item 41 above in the Information Technology Sector.